Substack has confirmed that an unauthorized third party accessed its systems in October 2025, exposing user email addresses, phone numbers, and other internal metadata. The company says that passwords, credit card details, and other financial data were not accessed. The intrusion was only discovered in early February 2026; users are being warned to watch for phishing and other suspicious communications, and reports suggest the breach may have affected hundreds of thousands of records. Source coverage reports the incident, the company's notification to users, and details about the data involved.
Sources
https://www.theverge.com/tech/874255/substack-data-breach-user-emails-phone-numbers
https://www.csoonline.com/article/4128287/substack-data-breach-leaks-users-email-addresses-and-phone-numbers.html
Key Takeaways
• A data breach at Substack exposed user contact information, specifically email addresses, phone numbers, and unspecified internal metadata. The intrusion occurred in October 2025 and was only identified in February 2026.
• Substack asserts that more sensitive user data, including passwords, credit card numbers, and other financial information, was not compromised. The exact number of accounts affected has not been disclosed.
• Security analysts warn that exposed contact information is enough to run targeted phishing, SMS scams, and social engineering campaigns, and users are being urged to treat any unsolicited message that references Substack with suspicion.
In-Depth
In a concerning development for digital privacy and platform trust, Substack has publicly confirmed that it experienced a security breach in October 2025 that exposed user email addresses, phone numbers, and other internal metadata from its systems. The intrusion went undetected for roughly four months and was only identified in early February 2026, prompting the company to notify those potentially affected and to warn about the risks that typically follow such breaches.
According to the notification Substack sent to users, an "unauthorized third party" gained access to the platform's internal systems in October 2025. Substack maintains that passwords and financial data such as credit card numbers were not accessed, but the exposure of email addresses and phone numbers is serious in its own right. Those two fields are exactly what an attacker needs to reach a victim directly and to make a lure credible: a message that lands in the real inbox or on the real phone, addressed to the right person, and referencing a service the person actually uses. The breach therefore does more than leak account details; it supplies the raw material for convincing phishing emails, SMS scams, and social engineering campaigns that impersonate Substack or the writers a user follows, with the aim of extracting credentials or other sensitive information, or of getting the user to click a malicious link.
That the intrusion went unnoticed for nearly four months raises questions about the coverage of Substack's internal monitoring and detection. It is unclear exactly how many users are affected; reports suggest hundreds of thousands of accounts, if not more, based on hints on cybercrime forums that a large dataset is circulating. Substack has said it has since closed the access route used and is conducting a thorough investigation, but affected users were exposed throughout the interval between intrusion and discovery.
Security experts emphasize that once email addresses and phone numbers are exposed, the risk outlives the original breach. Attackers typically use such data to run highly convincing phishing campaigns designed to elicit a response that leads to deeper compromise: for example, messages that appear to come from Substack or an affiliated service, urgently asking the recipient to "verify" credentials or "update" account settings, with the link leading to an attacker-controlled page that harvests whatever is entered. A known phone number can also help in SIM-swap attacks, where the attacker persuades a mobile carrier to move the victim's number to a SIM the attacker controls, then receives the victim's SMS one-time codes and defeats SMS-based two-factor authentication. A phone number alone is rarely enough to pull off a SIM swap, since carriers usually ask for additional account details, but a leaked list of numbers tied to real identities lets attackers pick targets and combine the number with data from other breaches.
Users affected by the incident are being urged to exercise heightened vigilance. That includes being cautious of unsolicited emails or texts that reference Substack or related services, not clicking links in messages that seem suspicious, and navigating to the official site manually to check account status rather than responding to prompts in unsolicited communications. Because the attackers hold real addresses and numbers, the fact that a message reaches your actual inbox or phone and names a service you use is not evidence that it is genuine. Longer-term protections also help limit the damage from this and future breaches: using a unique email address or alias per service so that a leak from one platform cannot be correlated with others, preferring authenticator apps or hardware keys over SMS for two-factor authentication so that a SIM swap yields nothing, and using a password manager to ensure every account has a strong, unique password.
For Substack itself, the breach is a test of its commitment to user privacy and platform integrity. Trust is central to its business model, which connects newsletter creators with audiences in direct and personalized ways. Users are now looking to the company to be transparent about what went wrong, how many accounts were compromised, and what steps will be taken to prevent similar incidents. In the meantime, the broader lesson is that even well-funded and widely used platforms suffer security failures, and that users must remain proactive about protecting their own digital information.
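The impersonation pattern described above (a message branded as Substack, sent from a look-alike domain, carrying urgency language and a link off-platform) can be expressed as a handful of triage rules. The following is an added example, not code from Substack or from the cited coverage; it assumes that substack.com is the only legitimate Substack domain (an assumption for the example) and runs over three constructed sample messages, two of which mimic the lures the article warns about.

```python
"""Triage rules for Substack-themed phishing lures (added example).

Assumption, not taken from the page: substack.com and its subdomains are the
only legitimate Substack domains. Sample messages below are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

LEGIT_DOMAINS = ("substack.com",)  # assumption for this example
URGENCY_PHRASES = ("verify", "suspended", "update your", "confirm your",
                   "within 24 hours", "immediately")


@dataclass
class Message:
    sender: str   # raw From header, e.g. 'Substack <no-reply@substack.com>'
    subject: str
    body: str     # plain-text body; links appear as bare URLs


def sender_domain(from_header: str) -> str:
    """Return the domain part of the From address, lowercased."""
    m = re.search(r"<([^>]+)>", from_header)
    address = (m.group(1) if m else from_header).strip()
    return address.rsplit("@", 1)[-1].lower()


def is_legit(domain: str) -> bool:
    """True only for a legitimate domain or one of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def claims_brand(text: str) -> bool:
    """Detect the brand name despite cheap digit/separator substitutions."""
    folded = text.lower()
    for src, dst in (("0", "o"), ("1", "l"), ("5", "s"),
                     ("-", ""), ("_", ""), (".", "")):
        folded = folded.replace(src, dst)
    return "substack" in folded


def links(body: str) -> list:
    """Extract bare http(s) URLs, dropping trailing punctuation."""
    return [u.rstrip(".,;)") for u in re.findall(r"https?://[^\s<>]+", body)]


def triage(msg: Message) -> list:
    """Return the reasons a message is suspicious; an empty list means clean."""
    reasons = []
    domain = sender_domain(msg.sender)
    brand_in_sender = claims_brand(msg.sender)
    brand_in_message = (brand_in_sender or claims_brand(msg.subject)
                        or claims_brand(msg.body))

    # Rule 1: the sender presents itself as Substack from a foreign domain.
    if brand_in_sender and not is_legit(domain):
        reasons.append(f"sender claims Substack but domain is {domain}")

    # Rule 2: a Substack-themed message links somewhere off-platform.
    for url in links(msg.body):
        host = (urlparse(url).hostname or "").lower()
        if brand_in_message and not is_legit(host):
            reasons.append(f"Substack-themed message links off-platform: {host}")

    # Rule 3: urgency language from a sender we could not verify.
    text = (msg.subject + " " + msg.body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits and brand_in_message and not is_legit(domain):
        reasons.append("urgency language from unverified sender: " + ", ".join(hits))
    return reasons


# Constructed samples: one legitimate notification, two impersonation lures.
SAMPLES = [
    Message("Substack <no-reply@substack.com>",
            "New post from a writer you follow",
            "Read it at https://example.substack.com/p/new-post"),
    Message("Substack Security <security@substack-verify.com>",
            "Action required: verify your account",
            "Your account will be suspended. Confirm your details at "
            "https://substack-verify.com/login within 24 hours."),
    Message("Alerts <alerts@mail.example.net>",
            "Sub-stack login code",
            "Your code is 123456. If you did not request it, visit "
            "https://login.example.net/reset immediately."),
]


def triage_all(samples=SAMPLES) -> dict:
    """Map each sample's subject to its list of triage reasons."""
    return {m.subject: triage(m) for m in samples}


if __name__ == "__main__":
    for subject, reasons in triage_all().items():
        print(subject, "->", reasons or ["clean"])
```

The rules are deliberately conservative: a message is flagged only when it invokes the brand and something about it (sender domain, link host, or urgency from an unverified sender) does not line up, so routine post notifications from the real domain pass untouched. In practice this kind of check belongs in a mail gateway or a user-side filter, and the domain allowlist should be maintained from the platform's documented sending domains rather than hard-coded as here.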